
I have to send credentials to authenticate on the server (Windows authentication) for my application:

with-credentials = true

The problem is that my clients are mobile devices, and I can't tell the server the origin domains in Access-Control-Allow-Origin.

I would like to do that:

Access-Control-Allow-Origin = *

But I know it is not possible because of security issues.

How can I do that with HTTP?

PS: I am using a server in ASP.NET and clients are made with Ionic (Angular). Currently, I am using a temporary solution:

Access-Control-Allow-Origin = localhost:8100

But when I deploy the application, it won't work on real devices.

bobier2
  • So do you expect that origin of domain will be different when you go live? Like when you test it's clear why you need that since you use localhost, but in live scenario - why do you think you need CORS for *? – Sergey Rudenko Jul 02 '18 at 21:52
  • I am not sure whether or not it works on real devices because I can't test it for now (the server is currently only running on my localhost). Yes, I suppose that origin domain will be different because it will come from mobile devices with an IP address. Moreover, if my request is sent with the credentials option set to true, I must use CORS, and say what is the origin of the request. – bobier2 Jul 03 '18 at 11:10
  • I found a solution here: https://stackoverflow.com/questions/51384937/can-i-make-an-ajax-jquery-post-request-with-ionic/51397800#51397800 – bobier2 Jul 18 '18 at 09:04

2 Answers

From enable-cors.org:

CORS In ASP.NET

If you don't have access to configure IIS, you can still add the header through ASP.NET by adding the following line to your source pages:

Response.AppendHeader("Access-Control-Allow-Origin", "*");

See also: you can also Configure IIS6 / IIS7

Reference Taken

Hitesh Anshani
  • I already tried it in the web config and in the code, but by doing this, I get a CORS error: `Failed to load http://localhost/MyApp/Synchro/Connect: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://localhost:8100' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.` Even if I set with-credentials to false in my client request and on the response, I still get this error. – bobier2 Jul 03 '18 at 12:41
  • By the way, I can configure IIS, but I need to keep the Windows authentication and I can't specify origins. Maybe there's a solution with IIS? – bobier2 Jul 03 '18 at 12:45
  • Refer to the links; you need to add some lines in web.config @bobier2 – Hitesh Anshani Jul 03 '18 at 13:17
  • I already have those lines! ` ` – bobier2 Jul 03 '18 at 13:25
  • you have added at the root of your application or site right? – Hitesh Anshani Jul 03 '18 at 13:41
  • Yes, it is in the Web.config file. – bobier2 Jul 03 '18 at 14:33
  • Okay, now IIS will take care of it – Hitesh Anshani Jul 03 '18 at 14:36
  • Those lines are detected but I can't combine both `Access-Control-Allow-Origin = *` and `Access-Control-Allow-Credentials = true` because of the CORS error. The problem is that I need to use both: the first one because origins are mobile clients and I can't specify each IP, and the second one because I have to make a Windows authentication on my server (if I set it to false I get that 401 error). – bobier2 Jul 03 '18 at 14:41
  • at the end, mobile users will use your web application right in phones – Hitesh Anshani Jul 03 '18 at 14:44
  • Yes, that's it. The mobile app sends a POST request to the server (it proceeds to the Windows authentication with Windows credentials). However, it seems that the server needs to know origins to allow them to access the web services. At least, that's how I understood things. If I remove the allow-origins line I get a 401 Unauthorized error. – bobier2 Jul 03 '18 at 14:54

Sometimes you need to check this within your AuthorizeAttribute:

    // Pre-flight requests (OPTIONS) are always OK.
    // https://stackoverflow.com/questions/26296779/chrome-v37-38-cors-failing-again-with-401-for-options-pre-flight-requests#28235624
    if (actionContext.Request.Method == System.Net.Http.HttpMethod.Options)
    {
        return true;
    }
AleksBla
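
An added example, not code from either answer or from enable-cors.org: instead of the wildcard, the server can echo the request's `Origin` when it is on an allowlist, which is the form browsers accept together with `Access-Control-Allow-Credentials: true`, and answer the preflight `OPTIONS` before authentication as the second answer suggests. The module name `CredentialedCorsModule`, the second allowlist entry and the allowed methods and headers are assumptions; it also assumes classic ASP.NET (System.Web) on the IIS integrated pipeline.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Hypothetical module: echoes the request's Origin only when it is allowlisted,
// so credentialed (Windows-authenticated) requests pass the browser's CORS check.
public class CredentialedCorsModule : IHttpModule
{
    // Assumption: replace with the Origin values actually observed in requests
    // sent by the app on real devices.
    private static readonly HashSet<string> AllowedOrigins =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "http://localhost:8100", // ionic serve, from the question
            "http://localhost",      // constructed sample value
        };

    public void Init(HttpApplication app)
    {
        // BeginRequest runs before the authentication stages of the pipeline.
        app.BeginRequest += (sender, e) => Apply(((HttpApplication)sender).Context);
    }

    // Returns true when CORS headers were written for an allowed origin.
    public static bool Apply(HttpContext ctx)
    {
        string origin = ctx.Request.Headers["Origin"];
        // The response differs per Origin, so caches must key on it.
        ctx.Response.AppendHeader("Vary", "Origin");
        if (string.IsNullOrEmpty(origin) || !AllowedOrigins.Contains(origin))
            return false; // no CORS headers: the browser refuses the cross-origin read

        ctx.Response.AppendHeader("Access-Control-Allow-Origin", origin);
        ctx.Response.AppendHeader("Access-Control-Allow-Credentials", "true");

        if (ctx.Request.HttpMethod == "OPTIONS")
        {
            // The preflight carries no credentials; answer it here, unauthenticated.
            // Assumption: methods and headers the client actually uses.
            ctx.Response.AppendHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
            ctx.Response.AppendHeader("Access-Control-Allow-Headers", "Content-Type");
            ctx.Response.StatusCode = 200;
            ctx.ApplicationInstance.CompleteRequest();
        }
        return true;
    }

    public void Dispose() { }
}
```

A static `Access-Control-Allow-Origin` header configured in Web.config has to be removed when using this, otherwise the response carries two values for the header and the browser rejects it.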